## https://sploitus.com/exploit?id=289C51DB-789E-5BBC-869B-291AC527B641
# CVE-2026-21509: Microsoft Office OLE Security-Feature Bypass

[![CVE](https://img.shields.io/badge/CVE-2026--21509-red.svg)](https://vulners.com/cve/CVE-2026-21509)
[![CVSS](https://img.shields.io/badge/CVSS%203.1-7.8%20High-orange.svg)](https://nvd.nist.gov/vuln/detail/CVE-2026-21509)
[![CWE](https://img.shields.io/badge/CWE-807-blue.svg)](https://cwe.mitre.org/data/definitions/807.html)
[![CISA KEV](https://img.shields.io/badge/CISA-KEV%20listed-darkred.svg)](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
[![Status](https://img.shields.io/badge/exploited-in%20the%20wild-critical.svg)](#)

> Research writeup by **Sentinel AI Defense**. Defensive analysis only; no working exploit
> or PoC is published here for an actively exploited vulnerability.

A security-feature bypass in Microsoft Office that lets a crafted document load COM components the
OLE mitigations are supposed to block. Actively exploited by **APT28 (UAC-0001)** against Ukrainian
and Eastern European targets.

📄 Full writeup: https://sentinelaidefense.com/posts/cve-2026-21509-ole-bypass

---

## Overview

CVE-2026-21509 is a security feature bypass vulnerability in Microsoft Office stemming from reliance
on untrusted inputs in a security decision (CWE-807). It permits an unauthorized attacker to bypass
OLE mitigations locally when a user opens a specially crafted document. The flaw affects processing
of embedded objects, notably allowing instantiation of COM components that security controls are
intended to restrict.

Microsoft released an out-of-band update on **January 26, 2026**, following confirmation of active
exploitation. The vulnerability carries a CVSS v3.1 base score of **7.8**
(`AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`). It was added to the CISA Known Exploited Vulnerabilities
catalog shortly after disclosure.

## Affected Versions

- Microsoft Office 2016
- Microsoft Office 2019
- Office LTSC 2021
- Office LTSC 2024
- Microsoft 365 Apps for Enterprise

Patches address the issue across supported versions, with additional service-side mitigations for
newer Click-to-Run builds.

## Technical Breakdown (Root Cause)

The root cause lies in Office's validation logic for inputs used in security decisions around
OLE/COM object loading. Office maintains kill bits and compatibility flags to block known dangerous
COM objects via registry-based controls (e.g., under Office COM Compatibility locations).

Attackers can craft documents, primarily RTF files containing OLE objects, that manipulate how
these inputs are evaluated, causing Office to load restricted components such as `Shell.Explorer.1`
(CLSID `{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}`). This control invokes the legacy
Internet Explorer / Trident engine, which operates with reduced restrictions compared to modern
sandboxing and allows loading of external resources (including LNK files) with minimal user
interaction.

No memory corruption primitives (buffer overflows, UAF) are required; exploitation relies on
structural manipulation of the document to bypass the OLE mitigation path. The bypass occurs during
document parsing and object initialization in processes like `winword.exe`.

## Attack Chain (based on CERT-UA observations)

CERT-UA documented campaigns attributed to **UAC-0001 (APT28)** using malicious DOC/RTF documents
themed around geopolitical topics (e.g., `Consultation_Topics_Ukraine(Final).doc`).

1. User opens the crafted document.
2. Exploitation of CVE-2026-21509 bypasses OLE protections, instantiating the `Shell.Explorer.1` object.
3. The object establishes a WebDAV connection to an external resource and downloads a file
   (often a `.LNK` shortcut containing executable code).
4. Subsequent stages download and execute additional payloads: dropper DLLs leading to **Covenant
   Grunt** implants or the **MiniDoor** stealer. Variations include COM hijacking and region-specific
   delivery.

The chain requires **no macros** and relies on the user opening the attachment. Exploitation was
observed as early as **January 29, 2026**, targeting Ukrainian government entities and expanding to
other Eastern European organizations.

## Detection Guidance

- Monitor for RTF/DOC files containing OLE objects with CLSID
  `{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}` or references to `Shell.Explorer.1`.
- Detect anomalous WebDAV connections or downloads of `.LNK`/`.DLL` files originating from Office
  processes shortly after document opens.
- YARA rules targeting specific OLE structures in RTF can flag potential exploits.
- Focus EDR on child processes spawned by Office (e.g., `regsvr32` via cmdline) and connections to
  known C2 infrastructure.

Behavioral indicators include Office applications initiating network activity to external hosts via
legacy components.
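The first detection bullet above (documents whose OLE objects carry the `Shell.Explorer.1` CLSID or ProgID) can be implemented as a file scan. The following Python is an added example written for this page, not tooling from Sentinel AI Defense or CERT-UA. It hex-decodes every `\objdata` group in an RTF body, keeping only hex digits because Word's RTF reader is lenient about whitespace and stray characters there (which obfuscated samples rely on), then searches both the raw bytes and the decoded blobs for the CLSID in OLE's binary GUID layout and for the ProgID in ASCII and UTF-16LE. The raw-byte pass also covers `.doc` compound-file streams. The sample documents are constructed inline; their OLE1-style header is a simplified stand-in, not a real object stream.

```python
"""Flag RTF/DOC bytes that reference the Shell.Explorer.1 OLE object (added example)."""
import re
import sys
import uuid

# Values from the writeup: the restricted ProgID and its CLSID.
SHELL_EXPLORER_PROGID = "Shell.Explorer.1"
SHELL_EXPLORER_CLSID = uuid.UUID("EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B")

# OLE stores a CLSID as a 16-byte GUID with the first three fields little-endian,
# which is exactly uuid.bytes_le; the text forms are matched case-insensitively.
CLSID_LE = SHELL_EXPLORER_CLSID.bytes_le
TEXT_NEEDLES = [
    (("{%s}" % SHELL_EXPLORER_CLSID).encode("ascii"), "textual CLSID"),
    (SHELL_EXPLORER_PROGID.encode("ascii"), "ProgID (ASCII)"),
    (SHELL_EXPLORER_PROGID.encode("utf-16-le"), "ProgID (UTF-16LE)"),
]
HEXDIGITS = b"0123456789abcdefABCDEF"
_OBJDATA = re.compile(rb"\\objdata")
_CONTROL = re.compile(rb"\\([a-zA-Z]+-?\d* ?|.)", re.S)  # RTF control word or control symbol


def extract_objdata_blobs(rtf: bytes) -> list:
    """Hex-decode every \\objdata group, keeping only hex digits and skipping control words."""
    blobs = []
    for m in _OBJDATA.finditer(rtf):
        depth, hexdigits, i = 0, bytearray(), m.end()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                if depth == 0:
                    break                      # closing brace of the \objdata group
                depth -= 1
            elif c == b"\\":
                cw = _CONTROL.match(rtf, i)    # never count a control word's letters as hex
                i = cw.end() if cw else i + 1
                continue
            elif c in HEXDIGITS:
                hexdigits += c
            i += 1
        usable = len(hexdigits) - len(hexdigits) % 2   # drop a dangling nibble
        if usable:
            blobs.append(bytes.fromhex(hexdigits[:usable].decode("ascii")))
    return blobs


def _match_needles(buf: bytes, where: str, findings: list) -> None:
    if CLSID_LE in buf:
        findings.append(f"{where}: binary CLSID")
    low = buf.lower()
    for needle, label in TEXT_NEEDLES:
        if needle.lower() in low:
            findings.append(f"{where}: {label}")


def scan_bytes(data: bytes) -> list:
    """Return findings; an empty list means no reference to Shell.Explorer.1 was seen."""
    findings = []
    _match_needles(data, "raw", findings)   # .doc/OLE streams and plain-text references in RTF
    if data.lstrip().startswith(b"{\\rtf"):
        for n, blob in enumerate(extract_objdata_blobs(data)):
            _match_needles(blob, f"objdata[{n}]", findings)
    return findings


def scan_file(path: str) -> list:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# --- constructed samples: simplified OLE1-style header, not real object streams ---
OLE1_HEADER = b"\x01\x05\x00\x00\x02\x00\x00\x00"


def build_rtf(blob: bytes) -> bytes:
    """Wrap blob in an \\objdata group, hex split across lines the way Word writes it."""
    hexstr = blob.hex().encode("ascii")
    lines = [hexstr[i:i + 32] for i in range(0, len(hexstr), 32)]
    return (b"{\\rtf1\\ansi\\deff0{\\object\\objemb\\objw100\\objh100{\\*\\objdata \r\n"
            + b"\r\n".join(lines) + b"\r\n}}\\par}")


SUSPICIOUS_BLOB = OLE1_HEADER + b"\x00" * 8 + b"\x10\x00\x00\x00" + CLSID_LE + b"\x00" * 8
SUSPICIOUS_RTF = build_rtf(SUSPICIOUS_BLOB)
BENIGN_BLOB = OLE1_HEADER + b"\x08\x00\x00\x00Package\x00" + b"\x00" * 16
BENIGN_RTF = build_rtf(BENIGN_BLOB)
DOC_FRAGMENT = b"\x00" * 8 + SHELL_EXPLORER_PROGID.encode("utf-16-le") + b"\x00" * 8   # stand-in for a CFB stream

if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            print(path, scan_file(path) or "clean")
    else:
        for name, sample in (("suspicious.rtf", SUSPICIOUS_RTF), ("benign.rtf", BENIGN_RTF),
                             ("fragment.doc", DOC_FRAGMENT)):
            print(name, scan_bytes(sample) or "clean")
```

Run it with file paths to scan a mail quarantine or sample share, or with no arguments to see the constructed samples classified. The decoded-blob pass is what matters for RTF: the CLSID never appears as plain text in a hex-encoded `\objdata`, so a byte-level grep of the file alone would miss it.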

## Indicators of Compromise (from CERT-UA)

- Malicious sample filenames such as `Consultation_Topics_Ukraine(Final).doc`.
- WebDAV URLs and associated downloaded `.LNK` files leading to Covenant Grunt or MiniDoor payloads.
- Hashes and command lines involving `regsvr32` for DLL loading (exact values tied to observed
  campaigns; consult CERT-UA bulletins for full lists).
- Network indicators: connections to attacker-controlled servers for payload staging.

## Mitigation

Apply the Microsoft security update released **January 26, 2026**, for all affected versions. Where
immediate patching is not feasible (particularly Office 2016/2019), implement the registry-based COM
kill bit mitigation by setting **Compatibility Flags to `0x400`** for vulnerable CLSIDs.

Additional controls:

- Enable Protected View and macro restrictions.
- Restrict external content and WebDAV where possible.
- Use application control solutions to limit Office child process behavior.
- Monitor and block known malicious infrastructure.
- Quarantine inbound RTF at the mail gateway; most orgs do not legitimately need RTF in email.
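The interim kill-bit mitigation described above, as an added example that is neither the page's nor Microsoft's code: a Python helper that builds the Office COM Compatibility keys for a CLSID, emits a `.reg` file for scripted or GPO import, and on a Windows host audits or applies the `0x400` bit. The key layout it uses (`SOFTWARE\Microsoft\Office\<version>\Common\COM Compatibility\<CLSID>` under HKLM, plus the `WOW6432Node` view for 32-bit Office, for versions 14.0 through 16.0) is an assumption modelled on Office's documented COM Compatibility mechanism; take the authoritative paths from the Microsoft advisory before deploying.

```python
"""Build, emit and audit the Office COM Compatibility kill bit for a CLSID (added example)."""
import sys

KILLBIT = 0x400                    # "Compatibility Flags" bit that stops Office loading the control
VALUE_NAME = "Compatibility Flags"
SHELL_EXPLORER_CLSID = "{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}"   # from the writeup

# Assumed key layout, modelled on Office's documented COM Compatibility mechanism;
# confirm against the vendor advisory before deploying.
OFFICE_VERSIONS = ("14.0", "15.0", "16.0")
OFFICE_ROOTS = (r"SOFTWARE\Microsoft\Office",
                r"SOFTWARE\WOW6432Node\Microsoft\Office")   # 32-bit Office on 64-bit Windows


def killbit_keys(clsid: str) -> list:
    """Every HKLM-relative key that should carry the kill bit for this CLSID."""
    return ["\\".join((root, ver, "Common", "COM Compatibility", clsid))
            for root in OFFICE_ROOTS for ver in OFFICE_VERSIONS]


def is_killbit_set(flags) -> bool:
    """Compatibility Flags is a bit field; only bit 0x400 matters here."""
    return flags is not None and bool(flags & KILLBIT)


def merged_flags(existing) -> int:
    """Add the kill bit without clobbering other flags already present."""
    return (existing or 0) | KILLBIT


def reg_file(clsid: str) -> str:
    """A .reg file for scripted/GPO import. It writes 0x400 outright, so use it where the
    value does not already exist, or merge with merged_flags() on the host instead."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in killbit_keys(clsid):
        lines += [f"[HKEY_LOCAL_MACHINE\\{key}]", f'"{VALUE_NAME}"=dword:{KILLBIT:08x}', ""]
    return "\r\n".join(lines)


def audit(clsid: str) -> dict:
    """On Windows, report per key whether the kill bit is present; {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    report = {}
    for key in killbit_keys(clsid):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                value, _ = winreg.QueryValueEx(handle, VALUE_NAME)
            report[key] = is_killbit_set(value)
        except OSError:            # key or value absent: no kill bit for this view/version
            report[key] = False
    return report


def apply(clsid: str) -> None:
    """On Windows (run elevated), OR the kill bit into each key, creating keys as needed."""
    import winreg
    for key in killbit_keys(clsid):
        with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
            try:
                existing, _ = winreg.QueryValueEx(handle, VALUE_NAME)
            except OSError:
                existing = None
            winreg.SetValueEx(handle, VALUE_NAME, 0, winreg.REG_DWORD, merged_flags(existing))


if __name__ == "__main__":
    if sys.argv[1:] == ["--apply"]:
        apply(SHELL_EXPLORER_CLSID)
    report = audit(SHELL_EXPLORER_CLSID)
    if report:
        for key, present in report.items():
            print("SET    " if present else "MISSING", key)
    else:
        print(reg_file(SHELL_EXPLORER_CLSID))   # not on Windows: emit the .reg file instead
```

The audit is the part worth keeping after patching: it gives a quick per-host answer to "is the kill bit actually in place for every Office version and registry view", which is the gap a single `reg add` on one path tends to leave. Remember that the kill bit only blocks the control inside Office; the patch remains the real fix.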

## References

- Microsoft MSRC advisory for CVE-2026-21509
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21509
- CISA Known Exploited Vulnerabilities Catalog
- CERT-UA bulletins on UAC-0001 / APT28 activity

## Disclaimer

This repository is published for **defensive and educational purposes only**. It contains analysis,
detection logic, and mitigation guidance. No functional exploit code is provided. Use this
information only on systems you are authorized to test and defend.

---

Maintained by Sentinel AI Defense ·
Findings shared responsibly under coordinated disclosure.